Re: CSP required reporting a bad precedent?

Hello, public-privacy. :)

On Sun, Oct 14, 2012 at 1:57 PM, Fred Andrews <fredandw@live.com> wrote:

> The CSP spec. is nearing recommendation and I have been trying to make a
> case for reporting to be optional which would allow the UA to choose to
> make reporting opt-in or to report to the user if desired.  My suggestions
> to the WG have been met with ridicule and with claims that the reporting
> does not reveal any information not already known to the content author.
>

For context, the original threads are
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0039.html and
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0043.html. The
discussion is up and running again currently in the context of moving to CR
at http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0008.html.

It does seem to be the case that several folks in the WG don't agree
with your conclusions, but I personally and publicly apologize if you felt
ridiculed; I don't believe that was anyone's intent.

> I am preparing a final response to the WG regarding CSP on the issue of the
> required reporting and would welcome any input.
>

We'd welcome input on public-webappsec as well. Might be worth keeping the
conversation in one place.

The spec in question is http://www.w3.org/TR/CSP/

Thanks!

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Received on Monday, 15 October 2012 10:18:32 UTC